samczsun
Expert profile
OG Warden
Highlights
SushiSwap
1M USDC bounty for assistance in discovering and mitigating a Miso vulnerability
"Sam helped mitigate $350M in potential financial losses and we are very grateful and even happy to pay this bounty."
Fuse
Tracked down the source of the $80M Fuse hack
"Fuse added a fairly sophisticated system for global reentrancy protection on top of the forked Compound contracts, but the exitMarket() method was missing a reentrancy check. (Credit to @samczsun for tracking it down)"
Geth
Identified multiple vulnerabilities in go-ethereum
"What if you could hard fork the Ethereum blockchain with a snap of your fingers?"
Security research posts
samczsun.com
The Dangers of Surprising Code
The only thing worse than a bug in your code that breaks everything is a bug in your code that subtly breaks one thing.
Open source contributions
OpenChain
A collection of open source tools: a lookup for unknown function selectors and event topics, a transaction tracer, and tools for encoding and decoding ABI data.
In the press
medium.com
The 'U Up?' Files with samczsun
Few names strike more fear into the hearts of blackhats than samczsun, known as perhaps the most prolific whitehat in DeFi security.
cointelegraph.com
Attacker hijacks Tornado Cash governance via malicious proposal
The total control over Tornado Cash governance allows the attacker to withdraw all of the locked votes, drain all of the tokens in the governance contract and brick the router.
tokenlon.medium.com
Tokenlon 4.0 fee incident disclosure
medium.com
Sorbet Finance Vulnerability Post Mortem
How the Gelato team and honorable community members rescued $27M at risk from an attacker.